From garys@opusnet.com  Fri Jul 29 03:43:39 2005
Message-Id: <o6mzo6b7j4.zo6@mail.opusnet.com>
Date: Thu, 28 Jul 2005 20:44:31 -0700
From: "Gary W. Swearingen" <garys@opusnet.com>
Reply-To: garys@opusnet.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: security(8) manpage should have init(8)'s list of security levels
X-GNATS-Notify:

>Number:         84266
>Category:       docs
>Synopsis:       [patch] security(8) manpage should have init(8)'s list of security levels
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    gabor
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 29 03:50:20 GMT 2005
>Closed-Date:    Sun Feb 18 00:23:32 GMT 2007
>Last-Modified:  Sun Feb 18 00:23:32 GMT 2007
>Originator:     Gary W. Swearingen
>Release:        FreeBSD 5.4-RELEASE i386
>Organization:
none
>Environment:
n/a
>Description:

The init(8) manpage says what init(8) does with the system security levels,
but it's rather off-topic to have the description of the security levels
there.  The security(7) manpage is a better home for it.

>How-To-Repeat:
n/a

>Fix:
Move the descriptions and edit the contexts a bit.

I also changed "securelevel" to "secure level" a few times.

--- /pr/work/security..orig.7	Thu Jul 28 19:58:11 2005
+++ /pr/work/security.7	Thu Jul 28 20:33:59 2005
@@ -21,7 +21,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $FreeBSD: src/share/man/man7/security.7,v 1.39 2004/08/07 04:40:20 imp Exp $
+.\" $FreeBSD: Exp $
 .\"
 .Dd September 18, 1999
 .Dt SECURITY 7
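Review bot: The `$FreeBSD$` keyword line should not be part of this diff; the `+` side collapses it to "$FreeBSD: Exp $", which is just the local work copy's mangled expansion, and the repository will rewrite it on commit anyway. Drop this hunk from the patch. Separately, `.Dd September 18, 1999` is left as is even though the page gains a new block of content further down, so the document date should be bumped in the same change.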
@@ -498,14 +498,14 @@
 .Xr bpf 4
 device or other sniffing device on a running kernel.
 To avoid these problems you have to run
-the kernel at a higher secure level, at least securelevel 1.
-The securelevel can be set with a
+the kernel at a higher secure level, at least secure level 1.
+The secure level can be set with a
 .Xr sysctl 8
 on the
 .Va kern.securelevel
 variable.
 Once you have
-set the securelevel to 1, write access to raw devices will be denied and
+set the secure level to 1, write access to raw devices will be denied and
 special
 .Xr chflags 1
 flags, such as
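Review bot: Terminology is still split after this rename: these lines settle on "secure level", but the block added in the @@ -533 hunk of the same file says "levels of security" and "security level", and the sysctl is `kern.securelevel`. Pick one spelling for running text across security.7 and init.8 and say once that it corresponds to the `kern.securelevel` variable, so a reader searching for either form finds the definition.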
@@ -515,7 +515,7 @@
 that the
 .Cm schg
 flag is set on critical startup binaries, directories, and
-script files \(em everything that gets run up to the point where the securelevel
+script files \(em everything that gets run up to the point where the secure level
 is set.
 This might be overdoing it, and upgrading the system is much more
 difficult when you operate at a higher secure level.
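Review bot: The replacement line "script files \(em everything that gets run up to the point where the secure level" is now 81 characters, one more than the line it replaces and over the 80-column limit for manual page source. Move "secure level" down to join "is set." on the following line.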
@@ -533,6 +533,62 @@
 It should be noted that being too draconian in
 what you attempt to protect may prevent the all-important detection of an
 intrusion.
+.Pp
+The kernel runs with five different levels of security.
+Any super-user process can raise the security level, but no process
+can lower it.
+The security levels are:
+.Bl -tag -width flag
+.It Ic -1
+Permanently insecure mode \- always run the system in level 0 mode.
+This is the default initial value.
+.It Ic 0
+Insecure mode \- immutable and append-only flags may be turned off.
+All devices may be read or written subject to their permissions.
+.It Ic 1
+Secure mode \- the system immutable and system append-only flags may not
+be turned off;
+disks for mounted file systems,
+.Pa /dev/mem ,
+.Pa /dev/kmem
+and
+.Pa /dev/io
+(if your platform has it) may not be opened for writing;
+kernel modules (see
+.Xr kld 4 )
+may not be loaded or unloaded.
+.It Ic 2
+Highly secure mode \- same as secure mode, plus disks may not be
+opened for writing (except by
+.Xr mount 2 )
+whether mounted or not.
+This level precludes tampering with file systems by unmounting them,
+but also inhibits running
+.Xr newfs 8
+while the system is multi-user.
+.Pp
+In addition, kernel time changes are restricted to less than or equal to one
+second.
+Attempts to change the time by more than this will log the message
+.Dq Time adjustment clamped to +1 second .
+.It Ic 3
+Network secure mode \- same as highly secure mode, plus
+IP packet filter rules (see
+.Xr ipfw 8 ,
+.Xr ipfirewall 4
+and
+.Xr pfctl 8 )
+cannot be changed and
+.Xr dummynet 4
+or
+.Xr pf 4
+configuration cannot be adjusted.
+.El
+.Pp
+The secure level is discussed further in
+.Xr init 8
+and can be configured with variables documented in
+.Xr rc.conf 8 .
 .Sh CHECKING FILE INTEGRITY: BINARIES, CONFIG FILES, ETC
 When it comes right down to it, you can only protect your core system
 configuration and control files so much before the convenience factor
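Review bot: The closing cross-reference `.Xr rc.conf 8 .` points at the wrong manual section; rc.conf is a file format page and lives in section 5, so this should read `.Xr rc.conf 5 .`. On placement, the list is appended after the "too draconian" paragraph, well below the point in the @@ -498 hunk where the text first tells the reader to run at "at least secure level 1"; defining the levels before or directly after that first mention would save the reader from meeting level numbers that have not yet been explained.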

--- /pr/work/init..orig.8	Thu Jul 28 19:59:24 2005
+++ /pr/work/init.8	Thu Jul 28 20:33:47 2005
@@ -29,7 +29,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     @(#)init.8	8.3 (Berkeley) 4/18/94
-.\" $FreeBSD: src/sbin/init/init.8,v 1.45 2004/07/22 10:38:13 keramida Exp $
+.\" $FreeBSD:  Exp $
 .\"
 .Dd April 18, 1994
 .Dt INIT 8
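Review bot: `.Dd April 18, 1994` stays unchanged although this patch removes about fifty lines of content from init.8, so the date should be updated with the commit. The `$FreeBSD$` line change ("$FreeBSD:  Exp $") has the same problem as in security.7 and should be left out of the patch.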
@@ -87,58 +87,9 @@
 is marked as
 .Dq secure .
 .Pp
-The kernel runs with five different levels of security.
-Any super-user process can raise the security level, but no process
-can lower it.
-The security levels are:
-.Bl -tag -width flag
-.It Ic -1
-Permanently insecure mode \- always run the system in level 0 mode.
-This is the default initial value.
-.It Ic 0
-Insecure mode \- immutable and append-only flags may be turned off.
-All devices may be read or written subject to their permissions.
-.It Ic 1
-Secure mode \- the system immutable and system append-only flags may not
-be turned off;
-disks for mounted file systems,
-.Pa /dev/mem ,
-.Pa /dev/kmem
-and
-.Pa /dev/io
-(if your platform has it) may not be opened for writing;
-kernel modules (see
-.Xr kld 4 )
-may not be loaded or unloaded.
-.It Ic 2
-Highly secure mode \- same as secure mode, plus disks may not be
-opened for writing (except by
-.Xr mount 2 )
-whether mounted or not.
-This level precludes tampering with file systems by unmounting them,
-but also inhibits running
-.Xr newfs 8
-while the system is multi-user.
-.Pp
-In addition, kernel time changes are restricted to less than or equal to one
-second.
-Attempts to change the time by more than this will log the message
-.Dq Time adjustment clamped to +1 second .
-.It Ic 3
-Network secure mode \- same as highly secure mode, plus
-IP packet filter rules (see
-.Xr ipfw 8 ,
-.Xr ipfirewall 4
-and
-.Xr pfctl 8 )
-cannot be changed and
-.Xr dummynet 4
-or
-.Xr pf 4
-configuration cannot be adjusted.
-.El
-.Pp
-If the security level is initially nonzero, then
+If the kernel security level (see
+.Xr security 7 )
+is initially nonzero, then
 .Nm
 leaves it unchanged.
 Otherwise,
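Review bot: With the whole list removed, init.8 no longer states the one rule its own text depends on, namely that "Any super-user process can raise the security level, but no process can lower it." The sentences that follow ("leaves it unchanged", "Otherwise,") describe init acting on the level, so keep that single sentence here next to the new `.Xr security 7 )` pointer and move only the per-level descriptions.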
@@ -161,9 +112,7 @@
 .Dq host system
 will not be effected.
 Part of the information set up in the kernel to support a jail
-is a per-jail
-.Dq securelevel
-setting.
+is a per-jail setting of the security level.
 This allows running a higher security level inside of a jail
 than that of the host system.
 See
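Review bot: Replacing `.Dq securelevel` with "setting of the security level" removes the only literal "securelevel" string from this paragraph, which is the name an administrator will search for since it matches `kern.securelevel`. Consider keeping the literal name, for example marked up with `.Va`, alongside the reworded phrase. While this paragraph is being touched, the context line "will not be effected" should read "affected".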
@@ -392,19 +341,13 @@
 .Xr kill 1 ,
 .Xr login 1 ,
 .Xr sh 1 ,
-.Xr dummynet 4 ,
-.Xr ipfirewall 4 ,
-.Xr kld 4 ,
-.Xr pf 4 ,
 .Xr ttys 5 ,
-.Xr crash 8 ,
 .Xr getty 8 ,
 .Xr halt 8 ,
-.Xr ipfw 8 ,
 .Xr jail 8 ,
-.Xr pfctl 8 ,
 .Xr rc 8 ,
 .Xr reboot 8 ,
+.Xr security 7 ,
 .Xr shutdown 8 ,
 .Xr sysctl 8
 .Sh HISTORY
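Review bot: `.Xr security 7 ,` is inserted between reboot 8 and shutdown 8, but the SEE ALSO list is sorted by section number first (sh 1, ttys 5, then the section 8 pages), so it belongs after `.Xr ttys 5 ,` and before `.Xr getty 8 ,`. Also, `.Xr crash 8 ,` is removed along with the firewall and kld references, yet crash(8) is not mentioned anywhere in the text this patch moves; either justify that removal in the PR description or leave the entry in place.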
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: garys 
State-Changed-When: Fri Sep 2 14:58:09 GMT 2005 
State-Changed-Why:  
Patch has been written. 


Responsible-Changed-From-To: freebsd-doc->garys 
Responsible-Changed-By: garys 
Responsible-Changed-When: Fri Sep 2 14:58:09 GMT 2005 
Responsible-Changed-Why:  
I'll work this with mentor. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=84266 
State-Changed-From-To: analyzed->patched 
State-Changed-By: garys 
State-Changed-When: Sat Sep 3 17:23:59 GMT 2005 
State-Changed-Why:  
Committed to HEAD only. 

Responsible-Changed-From-To: garys->freebsd-doc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Jan 28 20:06:27 UTC 2006 
Responsible-Changed-Why:  
Assignee has asked to resign his commit bit, so return this one to pool. 

State-Changed-From-To: patched->closed 
State-Changed-By: gabor 
State-Changed-When: Sun Feb 18 00:20:56 UTC 2007 
State-Changed-Why:  
It was committed to HEAD a long time ago, thus the fix is part of RELENG_6 now.


Responsible-Changed-From-To: freebsd-doc->gabor 
Responsible-Changed-By: gabor 
Responsible-Changed-When: Sun Feb 18 00:20:56 UTC 2007 
Responsible-Changed-Why:  
Track. 

>Unformatted:
